State-enacted comprehensive consumer data privacy legislation is becoming more common across the United States. Connecticut is now the fifth state to enact such legislation, joining California, Colorado, Utah, and Virginia.[1] Public Act No. 22-15—The “Act Concerning Personal Data Privacy and Online Monitoring” (also referred to as the “Connecticut Data Privacy Act” or “CTDPA”)—will go into effect in July 2023. With a year to go before the law is implemented, it is important for consumers and businesses to understand their rights and responsibilities under the CTDPA, and to prepare accordingly.

The CTDPA shares a number of similarities with other comprehensive state privacy laws. Like the Colorado Privacy Act (“CPA”), Utah Consumer Privacy Act (“UCPA”), and Virginia Consumer Data Protection Act (“VCDPA”), the CTDPA does not apply to data that is collected in an employment or commercial context.[2] But the CTDPA also has its differences. Unlike the UCPA and VCDPA, which include only monetary consideration in the sale of personal data, the CTDPA includes both monetary and non-monetary consideration in the sale of personal data.[3]

What Rights Do Consumers Have?

Consumers can exercise six different rights with respect to their personal data under the CTDPA.[4] These include the right to: confirm the processing of personal data; access personal data; correct inaccuracies in personal data; have personal data deleted; obtain a copy of personal data in a portable and readily usable form; and opt out of processing of personal data for targeted advertising, sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects involving the consumer.[5] This last right is similar to the right to opt out of automated decision making found in Article 22 of the GDPR.[6]

For a consumer to exercise any of their rights under the CTDPA, the consumer must do so by way of “secure and reliable means” established by the data controller.[7] Children do not have the authority to exercise the CTDPA’s six consumer rights, but a parent or legal guardian may do so on a child’s behalf.[8]

What Requirements Do Businesses Have?

For a business to be subject to the CTDPA, the business must first meet at least one of two numeric thresholds, and then fall within the definition of a “controller.”[9] A business falls within the CTDPA’s requirements if, during the preceding calendar year, the business controlled or processed the personal data of more than one hundred thousand consumers (not including data that was controlled or processed solely for the purpose of completing a payment transaction); or controlled or processed the personal data of more than twenty-five thousand consumers and more than twenty-five percent of the gross revenue of the business came from the sale of personal data.[10]

Businesses are a “controller” of personal data if they solely or jointly with others determine the purpose and means of processing personal data.[11] Controllers must do a number of things, some of which include: limiting the collection of personal data to what is “adequate, relevant, and necessary” in relation to the purpose of processing that is disclosed to the consumer; implementing safeguards to protect the confidentiality, integrity, and accessibility of personal information; and not processing a consumer’s sensitive personal data without first obtaining the consumer’s consent.[12]

Who Has a Right of Action?

The CTDPA provides that the Connecticut attorney general’s office possesses the exclusive authority to enforce violations.[13] Thus, consumers do not have a private right of action for CTDPA violations. From July 1st, 2023, until December 31st, 2024, the attorney general must provide a notice of violation before bringing an action, but only if it is possible to cure the violation.[14] If it is not possible to cure the violation, the attorney general can immediately prosecute the violation.[15] Then, beginning on January 1st, 2025, the attorney general may consider six factors when determining whether to allow an opportunity to cure an alleged violation.[16] These six factors include: (i) the number of violations; (ii) the size and complexity of the controller or processor; (iii) the nature and extent of processing activities; (iv) the substantial likelihood of injury to the public; (v) the safety of persons or property; and (vi) whether the alleged violation was caused by human or technical error.[17]

Conclusion

Although Connecticut is the most recent state to have passed comprehensive consumer privacy legislation, it is certainly not the last. With the increasing number of states that have enacted comprehensive consumer privacy laws, and the similarities and differences that can exist between these laws, compliance can be difficult. Contact Zasio today to see how our innovative products and services can help you remain compliant across the growing patchwork of state data privacy laws.

[1] Cheryl Johnson et al., Connecticut’s New Privacy Law: What You Need to Know, JD Supra (May 23, 2022), https://www.jdsupra.com/legalnews/connecticut-s-new-privacy-law-what-you-8578081/.

[2] Devika Kornbacher and Marcus Lind-Martinez, A “New Haven” for Privacy: Connecticut Enacts Data Privacy Act, JD Supra (May 13, 2022), https://www.jdsupra.com/legalnews/a-new-haven-for-privacy-connecticut-6142711/.

[3] Devika Kornbacher and Marcus Lind-Martinez, A “New Haven” for Privacy: Connecticut Enacts Data Privacy Act, JD Supra (May 13, 2022), https://www.jdsupra.com/legalnews/a-new-haven-for-privacy-connecticut-6142711/.

[4] 2022 Conn. Acts 15 Reg. Sess.

[5] 2022 Conn. Acts 15 Reg. Sess.

[6] See 2022 Conn. Acts 15 Reg. Sess.; see Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art. 22, 2016 O.J. (L 119).

[7] 2022 Conn. Acts 15 Reg. Sess.

[8] 2022 Conn. Acts 15 Reg. Sess.

[9] See 2022 Conn. Acts 15 Reg. Sess.

[10] 2022 Conn. Acts 15 Reg. Sess.

[11] 2022 Conn. Acts 15 Reg. Sess.

[12] 2022 Conn. Acts 15 Reg. Sess.

[13] 2022 Conn. Acts 15 Reg. Sess.

[14] 2022 Conn. Acts 15 Reg. Sess.

[15] 2022 Conn. Acts 15 Reg. Sess.

[16] 2022 Conn. Acts 15 Reg. Sess.

[17] 2022 Conn. Acts 15 Reg. Sess.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Author: Brandon Tuley, JD, CIPP/E

Analyst / Licensed Attorney